Author

Topic: more clarification on ANTI-EXfil and DETERMINISTIC NONCE (Read 191 times)

legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
It would appear that anti-exfil as used by Blockstream relies on a trusted RNG source to generate the initial random data. So it's basically designed to stop nonces from being used to recover the private key (see these links for details[/url]), but it doesn't actually ensure that the nonces are created from cryptographically secure entropy.

Deterministic nonces in general are bad, the best type of nonce is the completely random one with enough entropy.
sr. member
Activity: 616
Merit: 291
Bitcoin in Niger State💯
I went to study some of the technical aspects of bitcoin so I came across the anti-Exfil protocol. I am somehow confused about it because the anti-exfil protocol, as I read, can only be used for a single hardware and a single software. It is used to verify a transaction, and you should make sure it is not compromised. Still, on the study came another one called DETERMINISTIC NONCE, which is more complex and requires you to have more than one hardware and software with which I can sign the same transaction and verify that the signature is the same

So here I want to have more knowledge, which is the main reason for this question. I want to know the advantages and disadvantages of both the ANTI-EXFIL AND THE DETERMINISTIC NONCE.

Like you've pointed out of your read, the anti-exfil protocol can only work for a single hardware and a single software. This is it's disadvantage over the deterministic nonce. However, to add to that, it is also good to know that with the deterministic nonce, you may buy as many hardware wallets as you like to make sure they all give the same signature, and you can even test it against some airgapped software wallets like Electrum. You can also use Python to create your own simple RFC6979-compliant wallet to check the signature is the same.

There is no limit to the number of hardware and software wallets with which you can sign the same transaction to verify that the signature is the same with deterministic nonce whereas in anti-exfil, you will be limited to the single hardware and single software used to broadcast the transaction, and we have to hope that at least one of those is not compromised.

Follow this thread for more of the deeper problem-solving conversations: https://bitcoin.stackexchange.com/questions/116583/anti-exfil-protocol-cant-be-verified-on-multiple-hardware-wallets



sr. member
Activity: 728
Merit: 354
I went to study some of the technical aspects of bitcoin so I came across the anti-Exfil protocol. I am somehow confused about it because the anti-exfil protocol, as I read, can only be used for a single hardware and a single software. It is used to verify a transaction, and you should make sure it is not compromised. Still, on the study came another one called DETERMINISTIC NONCE, which is more complex and requires you to have more than one hardware and software with which I can sign the same transaction and verify that the signature is the same

So here I want to have more knowledge, which is the main reason for this question. I want to know the advantages and disadvantages of both the ANTI-EXFIL AND THE DETERMINISTIC NONCE.

you have explained everything mate. The advantage of deterministic nonce is that you can use more than one software and hardware, while with anti-exfill, you can use only one software or hardware to confirm a transaction. If not, it will leak your signature and private keys, which may show that you're not the owner of the transaction, and again, you cannot verify the anti-Exfil protocol on multiple hardware platforms.
full member
Activity: 448
Merit: 202
I went to study some of the technical aspects of bitcoin so I came across the anti-Exfil protocol. I am somehow confused about it because the anti-exfil protocol, as I read, can only be used for a single hardware and a single software. It is used to verify a transaction, and you should make sure it is not compromised. Still, on the study came another one called DETERMINISTIC NONCE, which is more complex and requires you to have more than one hardware and software with which I can sign the same transaction and verify that the signature is the same

So here I want to have more knowledge, which is the main reason for this question. I want to know the advantages and disadvantages of both the ANTI-EXFIL AND THE DETERMINISTIC NONCE.
Jump to: